| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Sep 2020 08:05:58 +0800
From: Nicolas Boichat <drinkcat@...omium.org>
To: Bjorn Andersson <bjorn.andersson@...aro.org>
Cc: Nicolas Boichat <drinkcat@...omium.org>,
Mathieu Poirier <mathieu.poirier@...aro.org>,
Matthias Brugger <matthias.bgg@...il.com>,
Ohad Ben-Cohen <ohad@...ery.com>,
Pi-Hsun Shih <pihsun@...omium.org>,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
linux-mediatek@...ts.infradead.org,
linux-remoteproc@...r.kernel.org
Subject: [PATCH v3] rpmsg: Avoid double-free in mtk_rpmsg_register_device
If rpmsg_register_device fails, it will call
mtk_rpmsg_release_device which already frees mdev.
Fixes: 7017996951fd ("rpmsg: add rpmsg support for mt8183 SCP.")
Signed-off-by: Nicolas Boichat <drinkcat@...omium.org>
Reviewed-by: Mathieu Poirier <mathieu.poirier@...aro.org>
---
Changes in v3:
- 12-char Fixes tag (Mathieu Poirier)
Changes in v2:
- Drop useless if and ret variable (Markus Elfring)
drivers/rpmsg/mtk_rpmsg.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/drivers/rpmsg/mtk_rpmsg.c b/drivers/rpmsg/mtk_rpmsg.c
index 83f2b8804ee9..96a17ec29140 100644
--- a/drivers/rpmsg/mtk_rpmsg.c
+++ b/drivers/rpmsg/mtk_rpmsg.c
@@ -200,7 +200,6 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev,
struct rpmsg_device *rpdev;
struct mtk_rpmsg_device *mdev;
struct platform_device *pdev = mtk_subdev->pdev;
- int ret;
mdev = kzalloc(sizeof(*mdev), GFP_KERNEL);
if (!mdev)
@@ -219,13 +218,7 @@ static int mtk_rpmsg_register_device(struct mtk_rpmsg_rproc_subdev *mtk_subdev,
rpdev->dev.parent = &pdev->dev;
rpdev->dev.release = mtk_rpmsg_release_device;
- ret = rpmsg_register_device(rpdev);
- if (ret) {
- kfree(mdev);
- return ret;
- }
-
- return 0;
+ return rpmsg_register_device(rpdev);
}
static void mtk_register_device_work_function(struct work_struct *register_work)
--
2.28.0.402.g5ffc5be6b7-goog
Powered by blists - more mailing lists